CryptoLocker Ransomware

Operation Kofer: ransomware that mutates to avoid detection

A large ransomware operation named "Kofer" has emerged in cyberspace, with the ability to mutate in order to fool detection mechanisms.

Researchers at Cybereason Labs, after examining various versions of the Kofer ransomware from around the world, discovered that they share the same construction and delivery techniques but also incorporate random variables to avoid static-signature and hash-based detection.

This led the researchers to believe that all the versions were created by the same team, which used a specific algorithm to mix and match the components differently, thus giving the ransomware APT-like evasion capabilities.

The Kofer samples analyzed by the experts had different hashes and characteristics, but shared properties such as fake icons, fake filenames, and a particular packaging pattern. These shared properties link samples that would otherwise appear unrelated to each other to a single operation.
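The linkage described above can be sketched from the defender's side: exact-hash matching separates every rebuilt variant, while comparing the shared traits the article lists (icon, filename, packaging pattern) groups them. This is an added example, not code from Cybereason or the original article; the sample records, field names, trait encoding and the 0.5 threshold are all constructed assumptions.

```python
import re
from itertools import combinations

# Constructed records, not real indicators; all field names are hypothetical.
SAMPLES = [
    {"id": "s1", "sha256": "1111", "icon": "pdf",
     "filename": "Invoice_20391.pdf.exe", "layers": ("stub", "blob", "cfg")},
    {"id": "s2", "sha256": "2222", "icon": "pdf",
     "filename": "invoice_88120.PDF.exe", "layers": ("stub", "blob", "cfg")},
    {"id": "s3", "sha256": "3333", "icon": "doc",
     "filename": "Invoice_5512.pdf.exe", "layers": ("stub", "blob", "cfg")},
    {"id": "s4", "sha256": "4444", "icon": "app",
     "filename": "setup.exe", "layers": ("text", "data")},
]

def traits(sample):
    """Reduce a sample to traits that survive per-build randomisation."""
    name = re.sub(r"\d+", "#", sample["filename"].lower())  # mask random digits
    exts = name.rsplit(".", 2)[1:]  # ['pdf', 'exe'] = document lure on an executable
    return {"icon:" + sample["icon"], "name:" + name,
            "ext:" + ".".join(exts), "pack:" + ">".join(sample["layers"])}

def jaccard(a, b):
    return len(a & b) / len(a | b)

def hash_groups(samples):
    """Exact-hash matching: every rebuilt variant lands in its own group."""
    groups = {}
    for s in samples:
        groups.setdefault(s["sha256"], []).append(s["id"])
    return sorted(groups.values())

def cluster(samples, threshold=0.5):
    """Link samples whose trait sets overlap, using union-find."""
    feats = {s["id"]: traits(s) for s in samples}
    parent = {sid: sid for sid in feats}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(feats, 2):
        if jaccard(feats[a], feats[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for sid in feats:
        groups.setdefault(find(sid), []).append(sid)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    print("by hash:  ", hash_groups(SAMPLES))
    print("by traits:", cluster(SAMPLES))
```

Sample s3 changes its icon yet still joins the cluster, because the filename shape and packaging traits are unchanged.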

In addition to mechanisms that help avoid detection by sandboxes and dynamic detection tools, Kofer variants also include decorative elements aimed at misleading researchers.

"The fact that Kofer variants come from a single source is an example of ransomware's commercialization taken to a whole new level," said Uri Sternfeld of Cybereason.

"Operation Kofer appears to be the first 'drive-by' ransomware enterprise to incorporate an APT / nation-state complexity level, making its product a growing threat to companies."

As for the uncontrolled proliferation of variants, all of them were found and compared in recent weeks, and new ones are likely to appear every few days or even hours!

Cybereason believes that Operation Kofer already has a pan-European presence, as confirmed by the researchers, who identified versions in Spain, Poland, Switzerland, Turkey and other countries.

SecNews


Written by Dimitris
